How to enable Command Authorization in ACS?

rajeev.payal (Level 1)

Hi,

I have ACS 4.1 for Windows!!

I am testing a Cisco 6513 for command authorization for a user.

The problem is that the switch is authorizing the commands which I have denied in ACS for that particular user.

I am attaching the screen shots.

Can anyone tell me what I am missing? Do I need to put some commands in the 6513 to enable command authorization in ACS?

My switch config for ACS is:

aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
!
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
ip http authentication aaa
tacacs-server host ACSserver1
no tacacs-server directed-request
tacacs-server key xxxxx

Accepted Solution

Jagdeep Gambhir (Level 10)

You are missing these commands,

aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands

Regards,

~JG

Do rate helpful posts


6 Replies


abhay_i386 (Level 1)

Hi,

You need to apply these commands for authentication and authorization on the router/switch and the ACS server.

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+

You can also exclude your console from AAA:

line con 0
 login authentication local_auth
exit

Please rate it if helpful.

Thanks to both of you. Problem solved!

I have been looking for the command to exclude the console port but haven't found it. Can someone point me in the right direction?

For that you need to set up a method list:

username test privilege 15 password test
aaa new-model
aaa authentication login vty_login group tacacs+ local
aaa authentication login console_login local
aaa authorization exec vty_login group tacacs+ local
tacacs-server host key cisco
line vty 0 4
 login authentication vty_login
 authorization exec vty_login
line con 0
 login authentication console_login

Regards,

~JG

Do rate helpful posts
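The two fixes in this thread (per-level command authorization from the accepted solution, and a local-only method list for the console from the last reply) are easy to get half right: a list can be defined but never applied, or the console can be left on a TACACS+-first list. The following audit script is an added example, not code from the thread or from Cisco. It parses an IOS-style config with a minimal section splitter (not a full IOS parser, an assumption that holds for fragments like those posted here) and reports what a reviewer would check: whether `aaa authorization commands` exists for privilege levels 1 and 15 and uses a TACACS+ group, whether the list has a fallback method, whether configuration commands were explicitly exempted, what method list the console ends up on, and whether any named list is defined but unused. Both sample configs are constructed from the fragments in this thread; the finding codes are this script's own naming.

```python
import re

# Constructed samples (not posted verbatim in the thread). ORIGINAL_CONFIG is
# the switch config from the question; FIXED_CONFIG adds the accepted solution's
# command-authorization lines and moves the console to a local-only list.
ORIGINAL_CONFIG = """\
aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
aaa authentication login default group name1 local
aaa authentication enable default group name1 enable
aaa authorization exec default group name1 if-authenticated
tacacs-server host ACSserver1
tacacs-server key xxxxx
"""
FIXED_CONFIG = """\
aaa new-model
aaa group server tacacs+ name1
 server ACSserver1
aaa authentication login vty_login group name1 local
aaa authentication login console_login local
aaa authentication enable default group name1 enable
aaa authorization exec vty_login group name1 if-authenticated
aaa authorization commands 1 default group name1 if-authenticated
aaa authorization commands 15 default group name1 if-authenticated
aaa authorization config-commands
tacacs-server host ACSserver1
tacacs-server key xxxxx
line con 0
 login authentication console_login
line vty 0 4
 login authentication vty_login
 authorization exec vty_login
"""

CMD_AUTHZ = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
EXEC_AUTHZ = re.compile(r"^aaa authorization exec (\S+) (.+)$")
LOGIN_AUTHN = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse_config(text):
    """Split an IOS config into (header, [indented sub-commands]) sections."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def methods(spec):
    """'group name1 if-authenticated' -> ['group name1', 'if-authenticated']."""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def audit(text, levels=(1, 15)):
    """Return a list of 'CODE: explanation' findings; an empty list means clean."""
    sections = parse_config(text)
    headers = [h for h, _ in sections]
    findings = []
    cmd_lists = {int(m.group(1)): methods(m.group(3))
                 for h in headers if (m := CMD_AUTHZ.match(h))}
    # 1. Without a per-level commands list the switch never asks ACS about a
    #    command, so ACS deny rules have no effect (the original poster's bug).
    for lvl in levels:
        if lvl not in cmd_lists:
            findings.append(f"CMD_AUTHZ_MISSING: no 'aaa authorization commands {lvl}'"
                            f" list, so ACS is never consulted for level-{lvl} commands")
        elif cmd_lists[lvl][-1].startswith("group "):
            findings.append(f"CMD_AUTHZ_NO_FALLBACK: level {lvl} list ends with a server"
                            " group; every command is denied if TACACS+ is unreachable")
    # 2. Config-mode commands are covered once (1) is on; flag the explicit opt-out.
    if "no aaa authorization config-commands" in headers:
        findings.append("CONFIG_CMDS_EXEMPT: configuration commands are exempted"
                        " from authorization")
    # 3. Resolve the console's login list (the default list if none is named) and
    #    flag a TACACS+-first list, which locks the console out when ACS is down.
    login_lists = {m.group(1): methods(m.group(2))
                   for h in headers if (m := LOGIN_AUTHN.match(h))}
    con = next((subs for h, subs in sections if h.startswith("line con")), [])
    con_list = next((s.split()[2] for s in con
                     if s.startswith("login authentication ")), "default")
    con_methods = login_lists.get(con_list, [])
    if con_methods and con_methods[0].startswith("group "):
        findings.append(f"CONSOLE_ON_TACACS: console login list '{con_list}' tries"
                        " the server group first; use a local-only list on line con 0")
    # 4. A named list that no line references does nothing.
    applied = {"login": set(), "exec authorization": set()}
    for _, subs in sections:
        for s in subs:
            if s.startswith("login authentication "):
                applied["login"].add(s.split()[2])
            elif s.startswith("authorization exec "):
                applied["exec authorization"].add(s.split()[2])
    for regex, kind in ((LOGIN_AUTHN, "login"), (EXEC_AUTHZ, "exec authorization")):
        for h in headers:
            m = regex.match(h)
            if m and m.group(1) != "default" and m.group(1) not in applied[kind]:
                findings.append(f"LIST_UNUSED: {kind} list '{m.group(1)}' is defined"
                                " but not applied to any line")
    return findings


def finding_codes(text):
    """Just the finding codes, in order, for quick comparison."""
    return [f.split(":", 1)[0] for f in audit(text)]


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "->", audit(cfg) or ["clean"])
```

Run it against a `show running-config` capture saved to a file by passing the file contents to `audit()`. The fallback check is deliberately strict: with `group tacacs+` as the only method, a server outage means every command fails authorization, which is why the replies above end their lists with `if-authenticated` or `local`.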

Thank you very much.
